Update

2026-05-08 00:06:21 +02:00
parent 8092bac6b7
commit e8c9fc52fb
7 changed files with 148 additions and 49 deletions
--- a/modules/server/containers/builder.nix
+++ b/modules/server/containers/builder.nix
@@ -3,7 +3,7 @@ let
  builder =
  { image, secret ? ""
  , subdomain ? "", ip ? "", port ? 0
-  , extraEnv ? { }, extraLabels ? { }
+  , extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
  , overrides ? { }
  }:
  let base = {
@@ -23,7 +23,7 @@ let
      "traefik.enable" = "false";
    } // extraLabels;

-    extraOptions = [
+    extraOptions = extraOptions ++ [
      "--add-host=host.containers.internal:host-gateway"
    ] ++ lib.optional (ip != "") "--ip=${ip}";
  };
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
@@ -1,5 +1,6 @@
 { config, containerCfg, pkgs, lib, builder, ... }:
 let 
+version = "2026.2.2";
 serverCfg = config.syscfg.server;
 in {
  paths = [{
@@ -15,7 +16,7 @@ in {
  containers = {
    server = builder.mkContainer {
      subdomain = containerCfg.subdomain;
-      image = "ghcr.io/goauthentik/server:latest";
+      image = "ghcr.io/goauthentik/server:${version}";
      port = containerCfg.port;
      ip = containerCfg.ip;
      secret = "authentik";
@@ -31,10 +32,12 @@ in {
        "AUTHENTIK_EMAIL__USE_SSL" = "false";
        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
+        "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
+        "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
      };
      overrides = {
        cmd = [ "server" ];
-        ports = [ "9999:${toString containerCfg.port}" ];
+        ports = if containerCfg.pubPort != 0 && containerCfg.port != 0 then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
        volumes = [
          "${serverCfg.dataPath}/authentik/media:/media"
          "${serverCfg.dataPath}/authentik/templates:/templates"
@@ -43,20 +46,23 @@ in {
    };

    worker = builder.mkContainer {
-      image = "ghcr.io/goauthentik/server:latest";
+      image = "ghcr.io/goauthentik/server:${version}";
      secret = "authentik";
      extraEnv = {
        "AUTHENTIK_REDIS__HOST" = builder.host;
        "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
+        "AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
+        "AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
      };
+      extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS
      overrides = {
        cmd = [ "worker" ];
        volumes = [
          "${serverCfg.dataPath}/authentik/media:/media"
          "${serverCfg.dataPath}/authentik/templates:/templates"
-          "/var/run/docker.sock:/var/run/docker.sock"
+          "/var/run/podman/podman.sock:/var/run/docker.sock" #PODMAN GROUP FOR SOCKET ACCESS
        ];
      };
    };